Find Unsanctioned Software
  • 18 Dec 2022

Watch the “Find Unsanctioned Software” video, or read below.

Unsanctioned software often includes potentially unwanted software and applications that cause concern for IT, security, and risk teams. These applications may include software that has legitimate uses but can also be used with malicious intent.

Common Challenges For Finding Unsanctioned Software

Even with security controls in place, it’s very likely that some devices in your organization are running unsanctioned, potentially malicious software. Many programs originally designed for legitimate use can also be exploited later. This means security and IT teams spend a significant amount of time maintaining a list of sanctioned software, and even more time hunting down devices that fall out of compliance with that list.

IT & Security teams are challenged to identify all instances of unsanctioned software across all assets because:

  • It’s not easy to search across existing asset inventories
  • Information in asset inventories may not contain a list of all installed software
  • Installed software that is listed may be outdated in one tool but not another, leading to conflicting data
  • Software inventory lists are derived from a single source rather than from multiple sources

How To Find Unsanctioned Software With Axonius

Axonius makes it easy to identify unsanctioned software installed across all devices in your environment.

Find All Installed Software
On the devices page, you can add installed software into the column view to gain a full list of installed software.

[Screenshot: installed software column]

Search for unsanctioned software

Using the Axonius Query Wizard, you can search by software name, version, or description. A simple way to find unsanctioned software is to reference the list of unsanctioned software defined in your company.

For example, the following names are commonly used in Axonius queries for unsanctioned software:

  • Peer to Peer Networks: Tor, Torrent, TikTok, WeChat, PopcornTime
  • Cracking Tools: AirCrack, L0phtcrack, Brutus
  • Protocol Analysis Tools: winpcap, wireshark, mergcap, mergecap, npcap
  • Vulnerability mapping and pentest tools: dsniff, metasploit, nessus, nikto, nmap
  • Cryptocurrency Wallets and Miners: btcminer, bfgminer, cgminer
  • Gaming: Pokerstars, Discord, Steam, etc.
  • Native applications that can be used for malicious purposes: nmap, mimikatz, dsniff, wireshark, metasploit
  • Keyloggers / Password crackers: davegrohl
  • Remote Access Tools (RATs): Poison Ivy, Sakula, KjWorm, Havex, Dark Comet, AlienSpy
  • Unsanctioned IT & Security tools: any unsanctioned platforms including VPN, Antivirus, Cloud storage, and more.

To find unsanctioned software, you will need to connect to adapter sources that glean lots of information on devices directly. These include:

Using the Axonius Security Policy Enforcement Center, you can also initiate WMI scans to generate a list of installed software for all Windows devices.

Example Queries

The quickest way to identify unsanctioned software is to search across all adapter connections. This can be done by using the Axonius Aggregated dropdown in the Query Wizard on the devices page.

Search by Software Name

You can search for specific unsanctioned software by using the Installed Software: Software Name field. Combining the contains function with the OR switch lets a single query search for multiple software names at once. The query below searches for any device that has metasploit or nmap installed.

[Screenshot: software name contains]
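The same "contains A OR contains B" logic, sketched outside Axonius as an added example (this is not Axonius code or query syntax). The records, source names and field layout are constructed for illustration; the sketch merges inventories from several sources per device and shows why a short term such as "tor" needs a whole-word match to avoid false positives.

```python
import re
from collections import defaultdict

# Constructed sample records: (device, reporting source, installed software name).
RECORDS = [
    ("laptop-01", "edr_agent", "Nmap 7.93"),
    ("laptop-01", "wmi_scan", "Npcap"),
    ("laptop-02", "edr_agent", "Intel Rapid Storage Technology"),
    ("laptop-03", "edr_agent", "Adobe Acrobat Reader"),
    ("laptop-03", "wmi_scan", "Metasploit Framework"),  # seen by one source only
    ("server-01", "wmi_scan", "Tor Browser"),
    ("server-02", "config_mgmt", "Adobe Acrobat Reader"),
]

TERMS = ["metasploit", "nmap", "tor"]  # taken from the name list on this page


def aggregate(records):
    """Union of software names per device across all sources, case-folded."""
    merged = defaultdict(dict)
    for device, source, name in records:
        merged[device].setdefault(name.casefold(), set()).add(source)
    return merged


def find(records, terms, whole_word=False):
    """Return {device: {software: (matched terms, reporting sources)}}.

    whole_word=False behaves like chained 'contains' conditions joined by OR;
    whole_word=True only matches a term that stands alone as a word.
    """
    hits = {}
    for device, software in aggregate(records).items():
        for name, sources in software.items():
            if whole_word:
                matched = [t for t in terms
                           if re.search(rf"\b{re.escape(t)}\b", name)]
            else:
                matched = [t for t in terms if t in name]
            if matched:
                hits.setdefault(device, {})[name] = (matched, sorted(sources))
    return hits


if __name__ == "__main__":
    print("contains:  ", sorted(find(RECORDS, TERMS)))
    print("whole word:", sorted(find(RECORDS, TERMS, whole_word=True)))
```

With plain substring matching, laptop-02 is flagged because "Storage" contains "tor"; the whole-word variant drops it while still catching Tor Browser.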

Search by Software Vendor

If there are certain software vendors your company does business with, you can simply search by the software vendor using the Installed Software: Software Vendor field.

For example, the query below shows any installations of Adobe software.

[Screenshot: software vendor name]

Example Enforcements

Using the above sample queries as triggers, you can use the Axonius Security Policy Enforcement Center to alert teams or create incidents whenever unsanctioned software is found. Examples include:

Sample Charts

Once you have a saved query that is tracking software of interest, creating a chart to track installed software can be an easy way to track data over time.

Creating a Field Segmentation Chart and segmenting the chart by Software Name provides a digestible and searchable spot to track the count of any specific software name. You can also create a field segmentation chart that simply displays all software installed, and search for specific software via the chart.

[Screenshot: installed software chart]
